commit d83eee2daa34e44eeaab124274c7d2ce8b9b69ce Author: Taylor Bockman Date: Sat Nov 14 20:55:33 2015 +0000 Initial commit of scripts
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1584071
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,13 @@
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+.org-id-locations
+*_archive
+*_flymake.*
+*.rel
+/auto/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..c91db24
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Taylor Bockman
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..41b040f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,13 @@
+# Slackware VPS Configuration
+
+This is a set of files that I use to configure a remote development VPS. These kinds of boxes are
+handy when you don't want to haul a laptop around.
+
+Here's a list of VPS providers that have Slackware images available:
+
+*Put list here*
+
+**These scripts are untested**. They are currently built mostly from my memory of how I configured
+the systems before. There are many places commented where I have to devise a good solution on
+how to make them work. I would love to have help.
+
diff --git a/iptables-config/allow_ssh.sh b/iptables-config/allow_ssh.sh
new file mode 100755
index 0000000..1b6a00e
--- /dev/null
+++ b/iptables-config/allow_ssh.sh
@@ -0,0 +1,23 @@
+##############################################
+# #
+# Allow SSH in IPTables #
+# Author: Taylor Bockman #
+# #
+# #
+##############################################
+
+echo "SSH Port:"
+read sshport
+
+echo "Interface: "
+read interface
+
+# Allow incoming SSH
+sudo iptables -A INPUT -i $interface -p tcp --dport $sshport -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "SSH Incoming"
+sudo iptables -A OUTPUT -o $interface -p tcp --sport $sshport -m state --state ESTABLISHED -j ACCEPT -m comment --comment "SSH Incoming"
+
+# Allow outgoing SSH
+sudo iptables -A OUTPUT -o $interface -p tcp --dport $sshport -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "SSH Outgoing"
+sudo iptables -A INPUT -i $interface -p tcp --sport $sshport -m state --state ESTABLISHED -j ACCEPT -m comment --comment "SSH Outgoing"
+
+echo "Completed opening up SSH on interface $interface, port $sshport."
diff --git a/iptables-config/chain-setup.sh b/iptables-config/chain-setup.sh
new file mode 100755
index 0000000..fee3e6a
--- /dev/null
+++ b/iptables-config/chain-setup.sh
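Review bot: In iptables-config/allow_ssh.sh the values read into `sshport` and `interface` go unquoted and unchecked into four `sudo iptables -A` commands, so a typo or stray whitespace is word-split into extra iptables arguments and can append a rule other than the one intended. Read them with `read -r`, reject anything that is not a port number, e.g. `case $sshport in ''|*[!0-9]*) echo "invalid port" >&2; exit 1;; esac`, and pass `"$interface"` and `"$sshport"` quoted. The file is committed executable but has no shebang line, so the shell that ends up interpreting it depends on how it is launched; a first line of `#!/bin/sh` would pin that down.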
@@ -0,0 +1,34 @@
+############################################
+# #
+# Setup default chains in IPTables #
+# Author: Taylor Bockman #
+# #
+# #
+# #
+############################################
+
+echo "Are you on a VPS? [Y/N]"
+read onvps
+
+if [ $onvps=="Y" ];
+then
+ echo "Did you open your SSH ports on iptables? Otherwise this will kill your access. [Y/N]"
+ read openedssh
+
+ if [ $openedssh=="Y" ];
+ then
+ echo "Dropping INPUT and FORWARD..."
+ sudo iptables -P INPUT DROP
+ sudo iptables -P FORWARD DROP
+ echo "INPUT and FORWARD are now dropping traffic. You will have to configure a source and destination for each rule"
+ else
+ echo "Please configure your SSH access with IPTables and run this script again"
+ fi
+
+else
+ echo "Dropping INPUT and FORWARD..."
+ sudo iptables -P INPUT DROP
+ sudo iptables -P FORWARD DROP
+ echo "INPUT and FORWARD are now dropping traffic. You will have to configure a source and destination for each rule."
+fi
+
diff --git a/rc.firewall b/rc.firewall
new file mode 100755
index 0000000..84cc8bf
--- /dev/null
+++ b/rc.firewall
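Review bot: Both confirmation tests in iptables-config/chain-setup.sh, `[ $onvps=="Y" ]` and `[ $openedssh=="Y" ]`, are always true, because without spaces around the operator `[` receives a single non-empty word. Answering N to the SSH question therefore still runs `sudo iptables -P INPUT DROP`, which is exactly the lockout the prompt warns about on a VPS. Write them as `if [ "$onvps" = "Y" ]; then` and `if [ "$openedssh" = "Y" ]; then`. Because the answer guards remote access, the prompt should also say that only an uppercase Y counts, or the test should accept `y` as well.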
@@ -0,0 +1,655 @@ +#!/bin/sh +# +# Generated iptables firewall script for the Linux 2.4 kernel and later. +# Script generated by Easy Firewall Generator for IPTables 1.15 +# copyright 2002 Timothy Scott Morizot +# Modified for Slackware Linux by Eric Hameleers +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Special notes: +# - This firewall script uses the output of "hostname -i" to set the right +# interface. This will only work if the hostname can be resolved. +# Further, you may need to use "hostname -I" and parse the output, or +# write a secondary script, to handle this part if you have multiple +# interfaces. +# +# - This also uses route for compatibility with systems that are running +# without the ip command. You may need to adjust the INET_IFACE script to +# grab an interface if you are using one different than the one with the +# default gateway. +# +############################################################################### +# +# Local Settings +# + +# sysctl location. If set, it will use sysctl to adjust the kernel parameters. +# If this is set to the empty string (or is unset), the use of sysctl +# is disabled. + +SYSCTL="/sbin/sysctl -w" + +# To echo the value directly to the /proc file instead +# SYSCTL="" + +# IPTables Location - adjust if needed + +IPT="/usr/sbin/iptables" +IPTS="/usr/sbin/iptables-save" +IPTR="/usr/sbin/iptables-restore" + +# Internet Interface +INET_IFACE="$(route -n | awk '$1 ~ /0.0.0.0/ {print $NF}')" +INET_ADDRESS="$(hostname -i)" + +echo "Configured for interface $INET_IFACE on IP address $INET_ADDRESS" + +# Localhost Interface + +LO_IFACE="lo" +LO_IP="127.0.0.1" + +# Save and Restore arguments handled here +if [ "$1" = "save" ] +then + echo -n "Saving firewall to /etc/sysconfig/iptables ... " + $IPTS > /etc/sysconfig/iptables + echo "done" + exit 0 +elif [ "$1" = "restore" ] +then + echo -n "Restoring firewall from /etc/sysconfig/iptables ... 
" + $IPTR < /etc/sysconfig/iptables + echo "done" + exit 0 +fi + +############################################################################### +# +# Load Modules +# + +echo "Loading kernel modules ..." + +# You should uncomment the line below and run it the first time just to +# ensure all kernel module dependencies are OK. There is no need to run +# every time, however. + +# /sbin/depmod -a + +# Unless you have kernel module auto-loading disabled, you should not +# need to manually load each of these modules. Other than ip_tables, +# ip_conntrack, and some of the optional modules, I've left these +# commented by default. Uncomment if you have any problems or if +# you have disabled module autoload. Note that some modules must +# be loaded by another kernel module. + +# core netfilter module +/sbin/modprobe ip_tables + +# the stateful connection tracking module +/sbin/modprobe ip_conntrack + +# filter table module +# /sbin/modprobe iptable_filter + +# mangle table module +# /sbin/modprobe iptable_mangle + +# nat table module +# /sbin/modprobe iptable_nat + +# LOG target module +# /sbin/modprobe ipt_LOG + +# This is used to limit the number of packets per sec/min/hr +# /sbin/modprobe ipt_limit + +# masquerade target module +# /sbin/modprobe ipt_MASQUERADE + +# filter using owner as part of the match +# /sbin/modprobe ipt_owner + +# REJECT target drops the packet and returns an ICMP response. +# The response is configurable. By default, connection refused. 
+# /sbin/modprobe ipt_REJECT + +# This target allows packets to be marked in the mangle table +# /sbin/modprobe ipt_mark + +# This target affects the TCP MSS +# /sbin/modprobe ipt_tcpmss + +# This match allows multiple ports instead of a single port or range +# /sbin/modprobe multiport + +# This match checks against the TCP flags +# /sbin/modprobe ipt_state + +# This match catches packets with invalid flags +# /sbin/modprobe ipt_unclean + +# The ftp nat module is required for non-PASV ftp support +/sbin/modprobe ip_nat_ftp + +# the module for full ftp connection tracking +/sbin/modprobe ip_conntrack_ftp + +# the module for full irc connection tracking +/sbin/modprobe ip_conntrack_irc + + +############################################################################### +# +# Kernel Parameter Configuration +# +# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html +# for a detailed tutorial on sysctl and the various settings +# available. + +# Required to enable IPv4 forwarding. +# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true +# Alternatively, it can be set in /etc/sysctl.conf +#if [ "$SYSCTL" = "" ] +#then +# echo "1" > /proc/sys/net/ipv4/ip_forward +#else +# $SYSCTL net.ipv4.ip_forward="1" +#fi + +# This enables dynamic address hacking. +# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\). +#if [ "$SYSCTL" = "" ] +#then +# echo "1" > /proc/sys/net/ipv4/ip_dynaddr +#else +# $SYSCTL net.ipv4.ip_dynaddr="1" +#fi + +# This enables SYN flood protection. +# The SYN cookies activation allows your system to accept an unlimited +# number of TCP connections while still trying to give reasonable +# service during a denial of service attack. +if [ "$SYSCTL" = "" ] +then + echo "1" > /proc/sys/net/ipv4/tcp_syncookies +else + $SYSCTL net.ipv4.tcp_syncookies="1" +fi + +# This enables source validation by reversed path according to RFC1812. 
+# In other words, did the response packet originate from the same interface +# through which the source packet was sent? It's recommended for single-homed +# systems and routers on stub networks. Since those are the configurations +# this firewall is designed to support, I turn it on by default. +# Turn it off if you use multiple NICs connected to the same network. +if [ "$SYSCTL" = "" ] +then + echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter +else + $SYSCTL net.ipv4.conf.all.rp_filter="1" +fi + +# This option allows a subnet to be firewalled with a single IP address. +# It's used to build a DMZ. Since that's not a focus of this firewall +# script, it's not enabled by default, but is included for reference. +# See: http://www.sjdjweis.com/linux/proxyarp/ +#if [ "$SYSCTL" = "" ] +#then +# echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp +#else +# $SYSCTL net.ipv4.conf.all.proxy_arp="1" +#fi + +# The following kernel settings were suggested by Alex Weeks. Thanks! + +# This kernel parameter instructs the kernel to ignore all ICMP +# echo requests sent to the broadcast address. This prevents +# a number of smurfs and similar DoS nasty attacks. +if [ "$SYSCTL" = "" ] +then + echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts +else + $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1" +fi + +# This option can be used to accept or refuse source routed +# packets. It is usually on by default, but is generally +# considered a security risk. This option turns it off. +if [ "$SYSCTL" = "" ] +then + echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route +else + $SYSCTL net.ipv4.conf.all.accept_source_route="0" +fi + +# This option can disable ICMP redirects. ICMP redirects +# are generally considered a security risk and shouldn't be +# needed by most systems using this generator. 
+#if [ "$SYSCTL" = "" ] +#then +# echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects +#else +# $SYSCTL net.ipv4.conf.all.accept_redirects="0" +#fi + +# However, we'll ensure the secure_redirects option is on instead. +# This option accepts only from gateways in the default gateways list. +if [ "$SYSCTL" = "" ] +then + echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects +else + $SYSCTL net.ipv4.conf.all.secure_redirects="1" +fi + +# This option logs packets from impossible addresses. +if [ "$SYSCTL" = "" ] +then + echo "1" > /proc/sys/net/ipv4/conf/all/log_martians +else + $SYSCTL net.ipv4.conf.all.log_martians="1" +fi + + +############################################################################### +# +# Flush Any Existing Rules or Chains +# + +echo "Flushing Tables ..." + +# Reset Default Policies +$IPT -P INPUT ACCEPT +$IPT -P FORWARD ACCEPT +$IPT -P OUTPUT ACCEPT +$IPT -t nat -P PREROUTING ACCEPT +$IPT -t nat -P POSTROUTING ACCEPT +$IPT -t nat -P OUTPUT ACCEPT +$IPT -t mangle -P PREROUTING ACCEPT +$IPT -t mangle -P OUTPUT ACCEPT + +# Flush all rules +$IPT -F +$IPT -t nat -F +$IPT -t mangle -F + +# Erase all non-default chains +$IPT -X +$IPT -t nat -X +$IPT -t mangle -X + +if [ "$1" = "stop" ] +then + echo "Firewall completely flushed! Now running with no firewall." + exit 0 +fi + +############################################################################### +# +# Rules Configuration +# + +############################################################################### +# +# Filter Table +# +############################################################################### + +# Set Policies + +$IPT -P INPUT DROP +$IPT -P OUTPUT DROP +$IPT -P FORWARD DROP + +############################################################################### +# +# User-Specified Chains +# +# Create user chains to reduce the number of rules each packet +# must traverse. + +echo "Create and populate custom rule chains ..." 
+ +# Create a chain to filter INVALID packets + +$IPT -N bad_packets + +# Create another chain to filter bad tcp packets + +$IPT -N bad_tcp_packets + +# Create separate chains for icmp, tcp (incoming and outgoing), +# and incoming udp packets. + +$IPT -N icmp_packets + +# Used for UDP packets inbound from the Internet +$IPT -N udp_inbound + +# Used to block outbound UDP services from internal network +# Default to allow all +$IPT -N udp_outbound + +# Used to allow inbound services if desired +# Default fail except for established sessions +$IPT -N tcp_inbound + +# Used to block outbound services from internal network +# Default to allow all +$IPT -N tcp_outbound + +############################################################################### +# +# Populate User Chains +# + +# bad_packets chain +# + +# Drop INVALID packets immediately +$IPT -A bad_packets -p ALL -m conntrack --ctstate INVALID -j LOG \ + --log-prefix "fp=bad_packets:1 a=DROP " + +$IPT -A bad_packets -p ALL -m conntrack --ctstate INVALID -j DROP + +# Then check the tcp packets for additional problems +$IPT -A bad_packets -p tcp -j bad_tcp_packets + +# All good, so return +$IPT -A bad_packets -p ALL -j RETURN + +# bad_tcp_packets chain +# +# All tcp packets will traverse this chain. +# Every new connection attempt should begin with +# a syn packet. If it doesn't, it is likely a +# port scan. This drops packets in state +# NEW that are not flagged as syn packets. + + +$IPT -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j LOG \ + --log-prefix "fp=bad_tcp_packets:1 a=DROP " +$IPT -A bad_tcp_packets -p tcp ! 
--syn -m conntrack --ctstate NEW -j DROP + +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \ + --log-prefix "fp=bad_tcp_packets:2 a=DROP " +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP + +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \ + --log-prefix "fp=bad_tcp_packets:3 a=DROP " +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \ + --log-prefix "fp=bad_tcp_packets:4 a=DROP " +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \ + --log-prefix "fp=bad_tcp_packets:5 a=DROP " +$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + +$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \ + --log-prefix "fp=bad_tcp_packets:6 a=DROP " +$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \ + --log-prefix "fp=bad_tcp_packets:7 a=DROP " +$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + +# All good, so return +$IPT -A bad_tcp_packets -p tcp -j RETURN + +# icmp_packets chain +# +# This chain is for inbound (from the Internet) icmp packets only. +# Type 8 (Echo Request) is not accepted by default +# Enable it if you want remote hosts to be able to reach you. +# 11 (Time Exceeded) is the only one accepted +# that would not already be covered by the established +# connection rule. Applied to INPUT on the external interface. +# +# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html +# for more info on ICMP types. +# +# Note that the stateful settings allow replies to ICMP packets. +# These rules allow new packets of the specified types. + +# ICMP packets should fit in a Layer 2 frame, thus they should +# never be fragmented. Fragmented ICMP packets are a typical sign +# of a denial of service attack. 
+$IPT -A icmp_packets --fragment -p ICMP -j LOG \ + --log-prefix "fp=icmp_packets:1 a=DROP " +$IPT -A icmp_packets --fragment -p ICMP -j DROP + +# Echo - uncomment to allow your system to be pinged. +# Uncomment the LOG command if you also want to log PING attempts +# +# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \ +# --log-prefix "fp=icmp_packets:2 a=ACCEPT " +# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT + +# By default, however, drop pings without logging. Blaster +# and other worms have infected systems blasting pings. +# Comment the line below if you want pings logged, but it +# will likely fill your logs. +$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP + +# Time Exceeded +$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT + +# Not matched, so return so it will be logged +$IPT -A icmp_packets -p ICMP -j RETURN + +# TCP & UDP +# Identify ports at: +# http://www.chebucto.ns.ca/~rakerman/port-table.html +# http://www.iana.org/assignments/port-numbers + +# udp_inbound chain +# +# This chain describes the inbound UDP packets it will accept. +# It's applied to INPUT on the external or Internet interface. +# Note that the stateful settings allow replies. +# These rules are for new requests. +# It drops netbios packets (windows) immediately without logging. + +# Drop netbios calls +# Please note that these rules do not really change the way the firewall +# treats netbios connections. Connections from the localhost and +# internal interface (if one exists) are accepted by default. +# Responses from the Internet to requests initiated by or through +# the firewall are also accepted by default. To get here, the +# packets would have to be part of a new request received by the +# Internet interface. You would have to manually add rules to +# accept these. I added these rules because some network connections, +# such as those via cable modems, tend to be filled with noise from +# unprotected Windows machines. 
These rules drop those packets +# quickly and without logging them. This prevents them from traversing +# the whole chain and keeps the log from getting cluttered with +# chatter from Windows systems. +$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP +$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP + +# Ident requests (Port 113) must have a REJECT rule rather than the +# default DROP rule. This is the minimum requirement to avoid +# long delays while connecting. Also see the tcp_inbound rule. +$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT + +# A more sophisticated configuration could accept the ident requests. +# $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT + + +# Not matched, so return for logging +$IPT -A udp_inbound -p UDP -j RETURN + +# udp_outbound chain +# +# This chain is used with a private network to prevent forwarding for +# UDP requests on specific protocols. Applied to the FORWARD rule from +# the internal network. Ends with an ACCEPT + + +# No match, so ACCEPT +$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT + +# tcp_inbound chain +# +# This chain is used to allow inbound connections to the +# system/gateway. Use with care. It defaults to none. +# It's applied on INPUT from the external or Internet interface. + +# Ident requests (Port 113) must have a REJECT rule rather than the +# default DROP rule. This is the minimum requirement to avoid +# long delays while connecting. Also see the tcp_inbound rule. +$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT + +# A more sophisticated configuration could accept the ident requests. 
+# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j ACCEPT + +# sshd +$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 3938 -j ACCEPT + + +# Not matched, so return so it will be logged +$IPT -A tcp_inbound -p TCP -j RETURN + +# tcp_outbound chain +# +# This chain is used with a private network to prevent forwarding for +# requests on specific protocols. Applied to the FORWARD rule from +# the internal network. Ends with an ACCEPT + + +# No match, so ACCEPT +$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT + +############################################################################### +# +# INPUT Chain +# + +echo "Process INPUT chain ..." + +# Allow all on localhost interface +$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT + +# Drop bad packets +$IPT -A INPUT -p ALL -j bad_packets + +# DOCSIS compliant cable modems +# Some DOCSIS compliant cable modems send IGMP multicasts to find +# connected PCs. The multicast packets have the destination address +# 224.0.0.1. You can accept them. If you choose to do so, +# Uncomment the rule to ACCEPT them and comment the rule to DROP +# them The firewall will drop them here by default to avoid +# cluttering the log. The firewall will drop all multicasts +# to the entire subnet (224.0.0.1) by default. To only affect +# IGMP multicasts, change '-p ALL' to '-p 2'. Of course, +# if they aren't accepted elsewhere, it will only ensure that +# multicasts on other protocols are logged. +# Drop them without logging. +$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP +# The rule to accept the packets. 
+# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT + + +# Inbound Internet Packet Rules + +# Accept Established Connections +$IPT -A INPUT -p ALL -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED \ + -j ACCEPT + +# Route the rest to the appropriate user chain +$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound +$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound +$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets + +# Drop without logging broadcasts that get this far. +# Cuts down on log clutter. +# Comment this line if testing new rules that impact +# broadcast protocols. +$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP + +# Log packets that still don't match +$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP " + +############################################################################### +# +# FORWARD Chain +# + +echo "Process FORWARD chain ..." + +# Used if forwarding for a private network + + +############################################################################### +# +# OUTPUT Chain +# + +echo "Process OUTPUT chain ..." + +# Generally trust the firewall on output + +# However, invalid icmp packets need to be dropped +# to prevent a possible exploit. +$IPT -A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP + +# Localhost +$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT +$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT + +# To internet +$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT + +# Log packets that still don't match +$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP " + +############################################################################### +# +# nat table +# +############################################################################### + +# The nat table is where network address translation occurs if there +# is a private network. If the gateway is connected to the Internet +# with a static IP, snat is used. If the gateway has a dynamic address, +# masquerade must be used instead. 
There is more overhead associated +# with masquerade, so snat is better when it can be used. +# The nat table has a builtin chain, PREROUTING, for dnat and redirects. +# Another, POSTROUTING, handles snat and masquerade. + +echo "Load rules for nat table ..." + +############################################################################### +# +# PREROUTING chain +# + + +############################################################################### +# +# POSTROUTING chain +# + + +############################################################################### +# +# mangle table +# +############################################################################### + +# The mangle table is used to alter packets. It can alter or mangle them in +# several ways. For the purposes of this generator, we only use its ability +# to alter the TTL in packets. However, it can be used to set netfilter +# mark values on specific packets. Those marks could then be used in another +# table like filter, to limit activities associated with a specific host, for +# instance. The TOS target can be used to set the Type of Service field in +# the IP header. Note that the TTL target might not be included in the +# distribution on your system. If it is not and you require it, you will +# have to add it. That may require that you build from source. + +echo "Load rules for mangle table ..." + diff --git a/sw_sysinstall.sh b/sw_sysinstall.sh new file mode 100644 index 0000000..b8eb31a --- /dev/null +++ b/sw_sysinstall.sh 
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+#######################################################
+# #
+# An install script for zero-to-ready #
+# remote development boxes on Slackware #
+# !!! CURRENTLY UNTESTED !!! #
+# #
+# This assumes SSH Port is 3938, change this #
+# in the rc.firewall file to make sure #
+# iptables leaves it open for you. #
+# #
+# #
+# Author: Taylor Bockman #
+# #
+# #
+#######################################################
+
+# Add user
+echo "Enter desired username:"
+read $newuser
+useradd -m -g users -G wheel,floppy,audio,video,cdrom,plugdev,power,netdev,lp,scanner -s /bin/bash $newuser
+
+# Modify sudoers to enable wheel group
+
+
+# Install some critical packages
+mkdir packages
+cd packages
+
+# Install Curl
+wget http://slackware.cs.utah.edu/pub/slackware/slackware64-14.1/slackware64/n/cyrus-sasl-2.1.23-x86_64-5.txz
+wget http://slackware.cs.utah.edu/pub/slackware/slackware64-14.1/slackware64/n/curl-7.31.0-x86_64-1.txz
+
+upgradepkg --install-new cyrus-sasl-2.1.23-x86-64-5.txz
+upgradepkg --install-new curl-7.31.0-x86_64-1.txz
+
+# Install libpcap and libnl for iptables
+wget libpcap-1.4.0-x86_64-1.txz
+wget libnl3-3.2.21-x86_64-1.txz
+
+upgradepkg --install-new libpcap-1.4.0-x86_64-1.txz
+upgradepkg --install-new libnl3-3.2.21-x86_64-1.txz
+
+cd ..
+
+# Become user to install nix
+echo "Becoming $newuser to install nix and packages..."
+su $newuser
+cd /home/$newuser
+
+# Install Nix
+curl https://nixos.org/nix/install | sh
+
+# Append the right stuff to the ~/.profiles file so nix is ready
+
+# Install various nix packages
+
+packages=("emacs", "vim", "zsh", "git", "tmux", "libpcap")
+
+for package in "${packages[@]}"
+do
+ :
+ nix-env -i $package
+done
+
+# Symlink the rc.firewall to the right place
+# !!!! THIS PART IS SUPER UNTESTED !!!!!
+sudo ln -s /slackware-sysconfig/rc.firewall /etc/rc.d/rc.firewall
+sudo chmod +x /etc/rc.d/rc.firewall
+
+# Use sed to configure /etc/ssh/sshd_config to be more secure
+
+
+# Make zsh the default shell
+command -v zsh | sudo tee -a /etc/shells
+sudo chsh -s "$(command -v zsh)" "$USER"
+
+# cd into ~, git clone essentials
+
+# Run essentials dotfile install script
+
+# Restart sshd
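Review bot: In sw_sysinstall.sh the cyrus-sasl and curl packages are fetched with `wget http://slackware.cs.utah.edu/...` and passed straight to `upgradepkg --install-new`, so nothing confirms that what arrived over plain HTTP is the package Slackware published before it is installed as root. Verify each file first, for example against the detached signature that Slackware mirrors normally carry next to a package, with `gpg --verify "$pkg.asc" "$pkg" || exit 1`, and handle `curl https://nixos.org/nix/install | sh` the same way by saving the installer to a file and checking it before running it. Separately, `read $newuser` expands the still-empty variable instead of naming it, so `newuser` is never set and the later `su $newuser` becomes a bare `su`; it should be `read -r newuser`. The first `upgradepkg` line also names `cyrus-sasl-2.1.23-x86-64-5.txz` while the downloaded file is `cyrus-sasl-2.1.23-x86_64-5.txz`.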